1. Field of the Invention
The present invention relates to providing a secure manner of transferring private information between nodes on a public network. For example, if the public network was the internet, the nodes would be a public network server, the retailer, and a public network client, the consumer. More specifically, the present invention relates to conducting secure commerce over a public network. The commerce can be either the transmission and receipt of electronic data, such as software, or the processing of a payment.
2. Prior Art
The fear of having sensitive information, such as credit card numbers, stolen from a public network during transmission has impeded the growth of commerce on public networks, such as the internet. Prior methods for securing information for transmission over a public network have relied mainly on encryption, such as symmetric and asymmetric encryption algorithms, and authentication, such as Secure Socket Layer (SSL) and Secure Electronic Transaction (SET) protocols.
Symmetric encryption, or private-key encryption, such as Data Encryption Standard (DES) uses identical keys to encrypt and decrypt data. The method requires that the receiver of the encrypted data has, or will have, obtained the decryption key from the sender, or some third party. Asymmetric encryption, or public/private-key encryption, uses separate keys for encryption and decryption of data.
Authentication is used to "verify" the identity of the communication partner. This is important in electronic commerce since ensuring the identity of transaction partners is important in securing transactions. MIT's Kerberos is an example of an authentication protocol for private-key encryption. The protocol RSA, by RSA Data Security, Inc., is an example of public/private-key encryption authentication.
The problem with these security methods is that they rely completely on encryption. Past experience has proven that, when given enough time, encryption algorithms are broken. Once an encryption algorithm is broken, all past encrypted information is subject to exposure. Therefore, any process which is based solely on encryption is inherently prone to failure. Another problem with encryption is that it is CPU intensive. Transmitting large amounts of encrypted information, such as computer software, is currently not practical.
A public network, such as the internet, requires a method for overcoming the major weakness of encryption, exposure by future unauthorized decryption. In addition, a secure manner of delivering large volumes of private data is needed.